CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-34045: WeiPHP Path Traversal Arbitrary File Read

8.7 CVSS

Description

A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code.

Classification

CVE ID: CVE-2025-34045

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200 Exposure of Sensitive Information to an Unauthorized Actor CWE-20 Improper Input Validation

Affected Products

Vendor: Shenzhen Yuanmengyun Technology Co., Ltd.

Product: WeiPHP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.8% (probability of being exploited)

EPSS Percentile: 73.12% (scored less or equal to compared to others)

EPSS Date: 2025-07-09 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-34045
https://www.cnvd.org.cn/flaw/show/CNVD-2020-68596
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cnvd/2020/CNVD-2020-68596.yaml
https://vulncheck.com/advisories/weiphp-path-traversal-file-read

Timeline

2025-06-26 16:40:11 UTC
CVE

WeiPHP Path Traversal Arbitrary File Read